Information Security News

Several critical vulnerabilities in the protocol implementation used to synchronize clock settings over the Internet are putting countless servers at risk of remote hijacks until they install a security patch, an advisory issued by the federal government warned.

The remote-code execution bugs reside in versions of the network time protocol prior to 4.2.8, according to an advisory issued Friday by the Industrial Control Systems Cyber Emergency Response Team. In many cases, the vulnerabilities can be exploited remotely by hackers with only a low level of skill.

"Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the [network time protocol daemon] process," the advisory warned. Exploit code that targets the vulnerabilities is publicly available. It's not clear exactly what privileges NTP processes get on the typical server, but a handful of knowledgeable people said they believed it usually involved unfettered root access. Even if the rights are limited, it's not uncommon for hackers to combine exploits with privilege elevation attacks, which increase the system resources a targeted app has the ability to control.

The Google security team discovered several vulnerabilities in current NTP implementations, one of which can lead to arbitrary code execution [1][2]. NTP servers prior to version 4.2.8 are affected.

There are some rumors about active exploitation of at least some of the vulnerabilities Google discovered.

Make sure to patch all publicly reachable NTP implementations as fast as possible.

Mitigations:

Try to block inbound connections to NTP servers that do not have to be publicly reachable. However, be aware that simple stateful firewalls may not track UDP connections correctly and will allow access to internal NTP servers from any external IP if the NTP server recently established an outbound connection.

ntpd typically does not have to run as root. Most Unix/Linux versions will configure NTP to run as a lower-privileged user.

According to the advisory at ntp.org, you can also:

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf. A few Ubuntu and CentOS systems I tested, as well as OS X systems, do not seem to use autokey.

[1] http://www.kb.cert.org/vuls/id/852879
[2]

In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop.
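The two checks a defender wants to script from the advisory above are "is this ntpd older than 4.2.8?" and "does this ntp.conf still carry crypto directives?". The following is an added example, not code from the advisory or from ntp.org; it assumes the version banner format produced by ntpd --version (e.g. "ntpd 4.2.6p5@1.2349-o ...") and treats a release with no "pN" suffix as p0. The sample banner and ntp.conf are constructed.

```python
import re

# Releases of the reference ntpd before 4.2.8 are affected, per the advisories
# quoted above; 4.2.8 is the first release that carries the fix.
FIXED_VERSION = (4, 2, 8, 0)

# Matches the version in an `ntpd --version` banner, e.g. "ntpd 4.2.6p5@1.2349-o".
_VERSION_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntpd_version(banner):
    """Return (major, minor, patch, p-level) from an ntpd version banner.

    A release without a "pN" suffix is treated as p0, so 4.2.8 sorts below
    4.2.8p1 but above 4.2.7p465.  Returns None when no version is found.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_version(banner):
    """True when the banner reports a release older than 4.2.8."""
    ver = parse_ntpd_version(banner)
    if ver is None:
        raise ValueError("could not parse ntpd version from: %r" % banner)
    return ver < FIXED_VERSION


def active_autokey_directives(conf_text):
    """Return the uncommented `crypto ...` directives found in an ntp.conf.

    Every line whose first keyword is `crypto` enables Autokey; the ntp.org
    mitigation is to remove or comment out each of them.
    """
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.split()[:1] == ["crypto"]:
            found.append(line)
    return found


# Constructed sample inputs; not captured from a real host.
SAMPLE_BANNER = "ntpd 4.2.6p5@1.2349-o Thu Dec 18 10:00:00 UTC 2014 (1)"
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# crypto pw example-already-commented-out
crypto pw hunter2
crypto randfile /dev/urandom
"""

if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version(SAMPLE_BANNER))
    print("autokey directives:", active_autokey_directives(SAMPLE_CONF))
```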

The highly destructive malware believed to have hit the networks of Sony Pictures Entertainment contained a cocktail of malicious components designed to wreak havoc on infected networks, according to new technical details released by federal officials who work with private sector security professionals.

An advisory published Friday by the US Computer Emergency Readiness Team said the central malware component was a worm that propagated through the Server Message Block protocol running on Microsoft Windows networks. The worm contained brute-force cracking capabilities designed to infect password-protected storage systems. It acted as a "dropper" that then unleashed five components. The advisory, which also provided "indicators of compromise" that can help other companies detect similar attacks, didn't mention Sony by name. Instead, it said only that the potent malware cocktail had targeted a "major entertainment company." The FBI and White House have pinned the attack directly on North Korea, but so far have provided little proof.

"This worm uses a brute force authentication attack to propagate via Windows SMB shares," Friday's advisory stated. "It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2."

A cyber espionage campaign targeting activist groups in Syria is likely the work of the Islamic State of Iraq and Syria (ISIS), according to a report published on Thursday by CitizenLab, a research group at the University of Toronto’s Munk School of Global Affairs.

The attacks have targeted a group of Syrian activists, Raqqah Is Being Slaughtered Silently (RSS), that focuses on documenting human rights abuses in the Northern Syrian city of Ar Raqqah, which is currently occupied by ISIS, according to the analysis. The attacks used a tailored e-mail message to direct targeted users to an infected slide show, purportedly showing locations of ISIS forces and US airstrikes, but in reality, compromising the victim’s computer.

The attack does not result in remote access to a victim’s computer, but does result in a malicious program sending out occasional e-mail messages with data about the victim’s system and location, including the Internet protocol (IP) address, CitizenLab said in its analysis.

At the president's end-of-year speech on Friday afternoon, Barack Obama acknowledged the FBI's report claiming that North Korea was behind the November hack of Sony Pictures Entertainment and confirmed that the US would lay blame on the isolated nation for Sony's hack. The president promised a “proportional response,” but he did not give more details as to what that response would look like. “They caused a lot of damage, and we will respond,” Obama told the press. “It will be proportional, and it will be at the time and place that we choose; it's not something I'm going to announce at a press conference.”

The president continued, calling for the US government to help private interests shore up their security practices, although he was vague on details for that plan as well. “Part of the problem is you've got weak states that can engage in this kind of attack, you've got non-state actors, that's part of the reason we need to work with congress and get an actual bill passed to [help companies] prevent these attacks from taking place.”

When asked whether he thought Sony did the right thing in pulling the movie The Interview from theaters, the president spoke remarkably candidly. “Sony is a corporation, it suffered significant damage... I am sympathetic to the concerns that they faced. Having said all that, yes, I think they made a mistake.”

The Federal Bureau of Investigation's Washington press office has issued an update on the investigation into the cyber attack on Sony Pictures Entertainment, including the conclusion that North Korea was behind it.

“As a result of our investigation, and in close collaboration with other US government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the office said in a statement.

However, the information cited by the FBI’s update may not be as conclusive as many would like. Other hints at the attribution were provided to news organizations off-the-record, but the FBI’s public statements are far from definitive.

With two stories on the topic of bridging datacenters, you'd think I was a real believer. And, yes, I guess I am, with a couple of important caveats.

The first is encapsulation overhead. As soon as you bridge using encapsulation, the maximum allowed transported packet size will shrink, then shrink again when you encrypt. If your server OSs aren't smart about this, they'll assume that since it's all in the same broadcast domain, a full packet is of course OK (1500 bytes in most cases, or up to 9K if you have jumbo frames enabled). You'll need to test for this - both for replication and the failed-over configuration - as part of your design and test phase.
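To put numbers on "shrink, then shrink again": the calculation below works out the largest inner IP packet that still crosses a 1500-byte path without fragmenting, for a plain GRE bridge and for GRE bridged inside ESP. This is an added example, not part of the original diary; it assumes an Ethernet frame of 14 header bytes with no VLAN tag or FCS, GRE without key or checksum, and ESP with AES-CBC (16-byte block and IV) and HMAC-SHA1-96 (12-byte ICV). Other ciphers change the IV and ICV sizes, which is why they are parameters.

```python
def _round_up(n, block):
    """Smallest multiple of `block` that is >= n."""
    return -(-n // block) * block


def encapsulated_size(inner_len, ipsec="tunnel", block=16, iv_len=16, icv_len=12):
    """Bytes on the wire for one inner IP packet of `inner_len` bytes.

    Layering assumed (mirrors the GRE-bridge-over-IPsec design in this diary):
      inner IP packet -> Ethernet frame (14-byte header, no FCS)
                      -> GRE, no key/checksum (4) + delivery IP header (20)
                      -> ESP: SPI+sequence (8) + IV + padded payload + ICV,
                         plus a fresh outer IP header (20) in tunnel mode.
    ESP pads (payload + 2 trailer bytes) up to a multiple of the cipher block;
    the AES-CBC / HMAC-SHA1-96 defaults give a 16-byte IV and a 12-byte ICV.
    """
    gre_packet = 20 + 4 + 14 + inner_len
    if ipsec is None:                   # plain GRE bridge, no encryption
        return gre_packet
    if ipsec == "tunnel":
        protected = gre_packet          # whole delivery packet is encrypted
    elif ipsec == "transport":
        protected = gre_packet - 20     # delivery header stays in the clear
    else:
        raise ValueError("ipsec must be None, 'tunnel' or 'transport'")
    esp = 8 + iv_len + _round_up(protected + 2, block) + icv_len
    return 20 + esp                     # one IP header in front of ESP


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner IP packet that still fits `path_mtu` without fragmenting."""
    inner = path_mtu
    while encapsulated_size(inner, **kw) > path_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for label, kw in [("GRE bridge only", {"ipsec": None}),
                      ("GRE bridge + ESP transport", {"ipsec": "transport"}),
                      ("GRE bridge + ESP tunnel", {"ipsec": "tunnel"})]:
        print("%-28s inner MTU %d (a 1500-byte packet becomes %d bytes)"
              % (label, max_inner_mtu(1500, **kw), encapsulated_size(1500, **kw)))
```

Under these assumptions a full 1500-byte packet from a server becomes 1608 bytes on the wire in tunnel mode, so the inner MTU has to drop to 1400 (1420 in transport mode, 1462 with GRE alone) unless you are willing to live with fragmentation on every full-sized packet.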

The second issue is that if you bridge datacenters to a DR or second (active) datacenter site, you are well positioned to fail over the entire server farm, as long as you can fail over your WAN connection and Internet uplink with them. If you don't, you end up with what Greg Ferro calls a network traffic trombone. (http://etherealmind.com/vmware-vfabric-data-centre-network-design/)

If you fail one server over, or if you fail over the farm and leave the WAN links behind, you find that the data to and from the server will traverse that inter-site link multiple times for any one customer transaction.

For instance, let's say that you've moved the active instance of your mail server to the DR site. To check an email, a packet will arrive at the primary site, traverse to the mail server at site B, then go back to site A to find the WAN link to return to the client. Similarly, inbound email will come in on the internet link, but then have to traverse that inter-site link to find the active mail server.

Multiply that by the typical email volume in a mid-sized company, and you can see why this trombone issue can add up quickly. Even with a 100 Mbps link, folks that were used to gigabit performance will now see their bandwidth cut to 50 Mbps or likely less than that, with a commensurate impact on response times. If you draw this out, you do get a nice representation of a trombone - hence the name.

What this means is that you can't design your DR site for replication and stop there. You really need to design it for use during the emergency cases you are planning for. Consider the bandwidth impacts when you fail over a small portion of your server farm, and also what happens when your main site has been taken out (short or longer term) by a fire or electrical event - will your user community be happy with the results?

Let us know in our comment section how you have designed around this trombone issue, or if (as I've seen at some sites), management has decided to NOT spend the money to account for this.

It's been a while since we talked about Disaster Recovery issues - the last diary I posted on this was on using L2TPv3 to bridge your Datacenter / Server VLAN to the same VLAN at a DR site, over an arbitrary Layer 3 network (https://isc.sans.edu/diary/8704)

Since then, things have changed. There's a real push to move DR sites from a rack in a remote office location to recognized IaaS cloud locations. With that change comes new issues. If you are using your own servers in a colocation facility, or using IaaS VM instances, rack space for a physical router may either come with a price tag, or if it's all virtual, there might be no rack space at all.

In my situation, I had two clients in this position. The first customer simply wanted to move their DR site from a branch office to a colocation facility. The second customer is a Backup-as-a-Service Cloud Service Provider, who is creating a DR as a service product. In the first situation, there was no rack space to be had. In the second situation, the last thing a CSP wants is to have to give up physical rack space for every customer, and then deploy CSP owned hardware to the client site - that simply does not scale. In both cases, a VM running a router instance was clearly the preferred (or only) choice.

Virtual routers with enterprise features have been around for a while - back in the day we might have looked at quagga or zebra, but those have been folded into more mature products these days. In our case, we were looking at Vyatta (now owned by Brocade), or the open-source (free as in beer) fork of Vyatta - Vyos (vyos.net). Cisco is also in the game, their 1000V product supports IOS XE - their bridge L2 over L3 approach uses OTV rather than L2TPv3 or GRE. You'll find that most router vendors now have a virtual product.

Anyway, working with Vyatta/Vyos configs isn't like Cisco at all - their configs look a whole lot more like what you might see in JunOS. While Vyos supports the L2TPv3 protocol we know and love, it's a brand new feature, and it comes with a note from the developer: "if you find any bugs, send me an email" (confidence inspiring, that). Vyatta doesn't yet have that feature implemented. So I decided to use GRE tunnels, and bridge them to an ethernet interface. Since this tunnel was going to run over the public internet, I encrypted/encapsulated the whole thing using a standard site-to-site IPSEC tunnel.

The relevant configs look like the one below (just one end is shown). Note that this is not the entire config, and all IP

First, define the bridge interface. Note that STP (Spanning Tree Protocol) is disabled. You likely want this disabled unless you

The ETH0 interface is on the server VLAN (or port group if you are using standard ESXi vSwitches); this is the VLAN that you are bridging to the DR site.

The GRE tunnel is also bridged, and also doesn't have an IP address. The encapsulation of GRE-bridge is the same as GRE (IP protocol 47), but the gre-bridge

This stuff is all important for your security posture, but is not relevant to the tunneling or bridging, so I

- Note that the peer IP is the public / NAT
- IDs have to be created for each end - these routers use XAUTH when you define a pre-shared key, so to avoid having them use the FQDN, it
- The traffic match for encryption is defined by the source prefix + destination prefix + protocol. In our case, it's the management IP of the customer router AND the matching IP on the cloud router AND GRE.
- Take some care in defining the pre-shared key. If a word occurs on your corporate website, Facebook page, or LinkedIn (or in a dictionary), it's a bad choice, LEET-speak or no.
- We set both ends to initiate, which enables both init and respond. This allows either end to start the tunnel.

Please - use our comment form and let us know if you've used a different method of

In a message sent to company executives, someone claiming to represent the hacker group calling itself the Guardians of Peace has given Sony Pictures Entertainment the go-ahead to release the film The Interview—with some minor caveats. First of all, they want any death scene for Kim Jong-un dropped from the film.

"This is GOP. You have suffered through enough threats," the message, which was also posted to Pastebin, read. "The interview may release now. But be careful. September 11 may happen again if you don't comply with the rules: Rule #1: no death scene of Kim Jong Un being too happy; Rule #2: do not test us again ; Rule #3: if you make anything else, we will be here ready to fight."

Sony dropped plans for the release of the film following the cancellation of screenings by major theater chains.

A German steel factory suffered significant damage after attackers gained unauthorized access to computerized systems that help control its blast furnace, according to a report published Friday by IDG News.

The attackers took control of the factory's production network through a spear phishing campaign, IDG said, citing a report published Wednesday by the German government's Federal Office for Information Security. Once the attackers compromised the network, individual components or possibly entire systems failed. IDG reporter Loek Essers wrote:

Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,” the BSI said, describing the technical skills of the attacker as “very advanced.”

The attack involved the compromise of a variety of different internal systems and industrial components, BSI said, noting that not only was there evidence of a strong knowledge of IT security but also extended know-how of the industrial control and production process.

LinuxSecurity.com: Updated glibc packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security [More...]

LinuxSecurity.com: Updated jasper packages that fix three security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security [More...]